Active Directory: retrieving data from domain components

Time: 2018-07-26 21:50:45

Tags: powershell active-directory

I want to get all users and groups (the groups each user belongs to) from Active Directory. I have the following PowerShell script, which only gives me users from a specific OU, and there are clearly some groups that do not appear in the results, probably because they are limited to the "ITE" OU:

$UsersPerGroup = Get-ADUser -Filter * -SearchBase "OU=Users,OU=ITE,OU=HQ,DC=idb,DC=iadb,DC=org" -Properties DisplayName, memberof | % {
    New-Object PSObject -Property @{
    UserName = $_.DisplayName
    Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -join ","
    }
} |Sort-Object UserName | Select UserName, Groups

I want to change it so that I get all the data from the "idb" level, not just "ITE".

What I tried is the following script:

#Get Membership of Users
$UsersPerGroup = Get-ADUser -Filter * -SearchBase "DC=idb,DC=iadb,DC=org" -Properties DisplayName, memberof | % {
    New-Object PSObject -Property @{
    UserName = $_.DisplayName
    Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -join ","
    }
} |Sort-Object UserName | Select UserName, Groups

I get a long list of errors:

Get-ADGroup : Cannot find an object with identity: 'CN=RandSATestStubbing,CN=Users,DC=iadb,DC=org' under: 'DC=idb,DC=iadb,DC=org'.
At line:4 char:25
+ Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -j ...
+                         ~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (CN=RandSATestSt...,DC=iadb,DC=org:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

Get-ADGroup : Cannot find an object with identity: 'CN=Exchange Recipient Administrators,OU=Microsoft Exchange Security Groups,DC=iadb,DC=org' under: 'DC=idb,DC=iadb,DC=org'
At line:4 char:25
+ Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -j ...
+                         ~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (CN=Exchange Rec...,DC=iadb,DC=org:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

Get-ADGroup : Cannot find an object with identity: 'CN=Exchange Organization Administrators,OU=Microsoft Exchange Security Groups,DC=iadb,DC=org' under: 'DC=idb,DC=iadb,DC=o
At line:4 char:25
+ Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -j ...
+                         ~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (CN=Exchange Org...,DC=iadb,DC=org:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

... and the list goes on

I also tried:

$UsersPerGroup = Get-ADUser -Filter * -SearchBase "DC=idb,DC=iadb,DC=org" -Properties DisplayName, memberof | % {
    New-Object PSObject -Property @{
    UserName = $_.DisplayName
    Groups = ($_.memberof | % { Get-ADGroup -Identity $_ -Server ($_ -replace '^.*?DC=','DC=') } | Select -ExpandProperty Name) -join ","
    }
} |Sort-Object UserName | Select UserName, Groups

Regards!

1 answer:

Answer 0: (score: 0)

Update the searchbase parameter to the DN (distinguishedName) of the level in your domain you want to start the search from.

The AD module does not chase referrals (across domains), so you have to specify the correct domain when passing "memberof" to Get-ADGroup. Try (untested):

#Get Membership of Users
$UsersPerGroup = Get-ADUser -Filter * -SearchBase "DC=idb,DC=iadb,DC=org" -Properties DisplayName, memberof | % {
    New-Object PSObject -Property @{
        UserName = $_.DisplayName
        # Each memberOf entry is a DN; strip everything before the first DC= and turn
        # 'DC=iadb,DC=org' into 'iadb.org', then query that domain for the group by DN
        Groups = ($_.memberof | % { Get-ADGroup -Identity $_ -Server ($_ -replace '^.*?DC=' -replace ',DC=', '.') } | Select -ExpandProperty Name) -join ","
    }
} | Sort-Object UserName | Select UserName, Groups
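The same idea carried through as an added example (not the answer's or the asker's own code): a small function derives the domain DNS name from each memberOf DN (splitting only on unescaped commas, so an RDN such as `CN=Doe\, John` does not break the parse), looks every group up once via a cache, keeps going when a single group cannot be resolved, and can enumerate several domains because Get-ADUser itself only searches the one domain it is pointed at. It assumes the ActiveDirectory module on a domain-joined host; the domain name `idb.iadb.org` is taken from the question as a placeholder.

```powershell
# Added example, not the answer's own code. Assumes the ActiveDirectory module,
# a domain-joined host, and the domain names from the question as placeholders.
Import-Module ActiveDirectory

function ConvertFrom-DnToDomainFqdn {
    # 'CN=Group,OU=Exchange,DC=iadb,DC=org' -> 'iabd.org' style conversion:
    # keep only the DC= components and join them with dots.
    # Splits on unescaped commas only, so an RDN such as 'CN=Doe\, John' survives.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcParts = ($DistinguishedName -split '(?<!\\),') |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }
    if (-not $dcParts) { throw "No DC= components in DN: $DistinguishedName" }
    return ($dcParts -join '.')
}

function Get-UserGroupReport {
    # Lists every user in the given domains with the names of the groups in its
    # memberOf attribute, resolving each group against the domain its DN names.
    param(
        [string[]]$Domain = @('idb.iadb.org'),   # assumed; pass (Get-ADForest).Domains for the whole forest
        [string]$SearchBase                      # optional DN to narrow the search inside each domain
    )
    $groupCache = @{}   # DN -> group name; each group is looked up once, not once per user

    foreach ($dom in $Domain) {
        $userParams = @{ Filter = '*'; Server = $dom; Properties = 'DisplayName', 'memberOf' }
        if ($SearchBase) { $userParams.SearchBase = $SearchBase }

        foreach ($user in (Get-ADUser @userParams)) {
            $names = foreach ($dn in $user.memberOf) {
                if (-not $groupCache.ContainsKey($dn)) {
                    $groupDomain = ConvertFrom-DnToDomainFqdn $dn
                    try {
                        $groupCache[$dn] = (Get-ADGroup -Identity $dn -Server $groupDomain).Name
                    } catch {
                        # One unresolvable group must not abort the whole report
                        Write-Warning "Could not resolve '$dn' via $groupDomain : $($_.Exception.Message)"
                        $groupCache[$dn] = $null
                    }
                }
                $groupCache[$dn]
            }
            [PSCustomObject]@{
                Domain         = $dom
                UserName       = $user.DisplayName
                SamAccountName = $user.SamAccountName
                Groups         = (@($names) | Where-Object { $_ }) -join ','
            }
        }
    }
}

# Usage: one domain as a table, or every domain in the forest exported to CSV
Get-UserGroupReport | Sort-Object UserName | Format-Table -AutoSize
# Get-UserGroupReport -Domain (Get-ADForest).Domains | Export-Csv .\users-groups.csv -NoTypeInformation
```

Two caveats when reading the output as an access review: memberOf lists only direct memberships, so a user's primary group (usually Domain Users) and any group reached through nesting are not shown, and a SearchBase passed to this function must be a DN inside the domain being queried, which is exactly the mismatch behind the "Cannot find an object ... under: DC=idb,DC=iadb,DC=org" errors in the question.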